- The Bazar loader has named malicious shortcuts "adobe" and mimicked communications software.
- BADNEWS attempts to hide its payloads using legitimate filenames.
- Bad Rabbit has masqueraded as a Flash Player installer through the executable file install_flash_player.exe.
- BackdoorDiplomacy has dropped implants in folders named for legitimate software.
- BackConfig has hidden malicious payloads in %USERPROFILE%\Adobe\Driver\dwg\ and mimicked the legitimate DHCP service binary.
- APT41 attempted to masquerade their files as popular anti-virus software.
- APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file, mfevtps.exe.
- APT32 has renamed a Cobalt Strike beacon payload to install_flashplayers.exe.
- APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update.
- APT29 renamed software and DLLs with legitimate names to appear benign.
- APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.
- The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware.
- AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity.
- Threat actors used the following command to rename one of their tools to a benign file name: ren "%temp%\upload" audiodg.exe
- Aoqin Dragon has used fake icons including antivirus and external drives to disguise malicious payloads.
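Several of the examples above reuse a legitimate binary name in an unexpected directory (audiodg.exe in %temp%, AcroRD32.exe as malware) or use a name one character off from the real one (mfevtpse.exe, install_flashplayers.exe). The following defender-side Python script, added here and not part of the original page, flags both patterns across an inventory of observed executable paths; the allow-list of names and expected directories and the sample paths are constructed assumptions for the example.

```python
from dataclasses import dataclass
from difflib import get_close_matches
from pathlib import PureWindowsPath

# Constructed allow-list (an assumption for this example, not an authoritative inventory):
# impersonated names from the examples above, mapped to where the real binary lives. [] = anywhere.
EXPECTED_LOCATIONS = {
    "audiodg.exe": [r"C:\Windows\System32"],
    "acrord32.exe": [r"C:\Program Files\Adobe", r"C:\Program Files (x86)\Adobe"],
    "mfevtps.exe": [r"C:\Program Files\McAfee", r"C:\Program Files\Common Files\McAfee"],
    "install_flash_player.exe": [],
}

@dataclass
class Finding:
    path: str
    reason: str

def under(directory, root):
    """True if directory is root or lies beneath it; PureWindowsPath compares case-insensitively."""
    root = PureWindowsPath(root)
    return directory == root or root in directory.parents

def classify(path):
    """Flag a legitimate name in the wrong place, or a look-alike name (mfevtpse.exe vs mfevtps.exe)."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name in EXPECTED_LOCATIONS:
        roots = EXPECTED_LOCATIONS[name]
        if roots and not any(under(p.parent, r) for r in roots):
            return Finding(path, f"legitimate name {name!r} outside its expected location")
        return None
    close = get_close_matches(name, list(EXPECTED_LOCATIONS), n=1, cutoff=0.9)
    return Finding(path, f"name resembles legitimate {close[0]!r}") if close else None

def scan(paths):
    return [f for f in map(classify, paths) if f is not None]

SAMPLE_PATHS = [  # constructed sample inventory, not real telemetry
    r"C:\Windows\System32\audiodg.exe",
    r"C:\Users\alice\AppData\Local\Temp\audiodg.exe",
    r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRD32.exe",
    r"C:\ProgramData\mfevtpse.exe",
    r"C:\Users\alice\Downloads\install_flashplayers.exe",
    r"C:\Users\alice\Downloads\kb-10233.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PATHS):
        print(f"{finding.path}: {finding.reason}")
```

Name and location checks only narrow the field; in production, pair them with signature or hash verification against a known-good inventory, since a renamed tool like kb-10233.exe resembles no legitimate name and passes this filter.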